In recent years the use of cellular phones, smart phones, global positioning systems (GPS), personal data assistants (PDAs), laptop computers, and other such mobile units has increased dramatically. In any given enterprise, it is not uncommon for many thousands of mobile units to be present within the system. Extending business applications and data to mobile devices delivers a significant increase in employee productivity. It is therefore an expensive, time-consuming and critical task to administer large groups of mobile units, particularly when their use is important to day-to-day operation of the enterprise.
Recently, companies have developed solutions that allow network administrators to manage a group of enterprise mobile devices in a centralized manner, for instance from a centralized Network Operations Center (NOC). For instance, Motorola, Inc. has developed a device management system called the Mobility Services Platform (MSP). Device management systems such as MSP can dramatically reduce the time and cost associated with the day-to-day management of a large number of mobile devices. Such a system can be used to manage hundreds of devices at a local site, or tens, hundreds or thousands of mobile computers around the world, from one centralized computer. Minimal hands-on time is required for staging mobile devices for initial use, and ongoing provisioning and troubleshooting can be managed entirely remotely via a web-based interface available anywhere and at any time. Manual procedures are automated, eliminating errors. Among other things, MSP allows a network administrator to get devices up and running right out of the box, and ensures that devices are always loaded with the most current applications and operating system software. MSP enables a network administrator to constantly monitor and rapidly troubleshoot device issues to keep users up, running and productive.
For example, MSP offers advanced staging capabilities that make it possible to configure network and device settings, and to load operating systems and initial applications, simply, easily, securely and remotely. Automated template-based configurations can be issued from a single point of control, enabling tens, hundreds or thousands of mobile devices around the world to be staged in minutes rather than months, freeing up hundreds of hours (or more) previously spent on manual, error-prone efforts. Support for multiple device staging methods ensures one-step simplicity for users, who can complete staging by scanning a series of bar codes, performing an ActiveSync, docking the device in a cradle connected to a PC or computer network, or simply connecting to a pre-defined staging network.
Once mobile devices are up and running, MSP includes automated provisioning functionality to keep the applications, device settings, operating systems and firmware on all mobile devices up to date with minimal effort or interaction from the end user. Policy-based provisioning and over-the-air update capabilities can greatly reduce the time and cost required to keep devices updated. Network administrators can keep devices updated by setting policies that define when mobile devices should upload their current status information (e.g., a complete inventory of all software on the device, including applications as well as operating system information and device settings) to their associated relay server. Devices can be grouped by device type, type of user, operating system and location, thereby providing the granular management capabilities needed to achieve maximum efficiency in the provisioning function.
The MSP also allows a network administrator to monitor and analyze mobile device statistics as well as troubleshoot and resolve day-to-day user issues regardless of whether those issues are related to the mobile device, applications or the wireless network. Historical and real-time metrics for the mobile device, as well as the network and the battery, enable proactive and real-time issue management that minimizes worker and mobile device downtime.
When deploying fleets of mobile devices within an enterprise, device security is increasingly a concern. Device security is of particular importance since mobile devices often reside on the extreme edge of the enterprise network and can therefore inadvertently provide a gateway into the enterprise. For instance, when an enterprise is dealing with especially sensitive data, such as payment information (e.g., credit and debit cardholder information) or medical information (e.g., patient information), the protection of that data is of paramount importance. Increasingly, applications that interact with such sensitive data are being mobilized in an effort to reduce costs and increase the quality and breadth of services provided. In such cases, the mobile device may become more than just an entry point into the enterprise network through which sensitive data could be accessed: the mobile device could itself become a repository for certain types of sensitive data. Even if sensitive data is never stored on the mobile device, or is stored there but properly secured, such a mobile device is likely a participant in the exchange of such sensitive data. As such, it becomes crucial that all aspects of the mobile device be thoroughly scrutinized as they relate to the protection of such data.
To help address potential security issues, mobile device management systems such as MSP are increasingly capable of configuring and managing the security configuration settings (or "security settings") of devices, both initially and over time. MSP allows a network administrator to control the security settings of a device, and also to take complete control of a device, for instance in the event that a device is misplaced or does not check in with MSP at the appropriate time. The administrator can remotely lock and unlock devices to help protect sensitive data.
Notwithstanding these advances, it is desirable to provide systems that can help maintain security by making sure that existing security policies are consistently enforced. It is generally understood that the mobilization of applications that access sensitive information requires careful planning to ensure that sensitive data is protected. Unfortunately, adequate protection of such data often requires collaboration between system and application components in a manner that is beyond the control of either the system or the application. In such cases, solutions can be and are being developed, but they tend to be custom solutions that are expensive to create and difficult to validate. In any such system it is important, but can be difficult, to demonstrate conclusively that the solution provides the security demanded of it, both initially, at the time of deployment, and on a continuing basis once the solution is in production use.
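As an added illustration of the policy-based management and compliance checking described in the preceding paragraphs (example code written for this page, not MSP's own software or API), the following evaluates constructed device status uploads against a hypothetical security policy and groups the non-compliant devices by device group. The policy values, setting names (`storage_encryption`, `auto_lock_minutes`), device identifiers and check-in times are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy for one device group; setting names are constructed, not MSP's real keys.
POLICY = {
    "min_os_version": (5, 2, 0),
    "required_settings": {  # setting name -> predicate the reported value must satisfy
        "storage_encryption": lambda v: v is True,
        "auto_lock_minutes": lambda v: isinstance(v, int) and 0 < v <= 5,
    },
    "max_checkin_age": timedelta(hours=24),
}

@dataclass
class StatusReport:  # one device's uploaded status: OS, settings, last check-in
    device_id: str
    group: str
    os_version: tuple
    settings: dict
    last_checkin: datetime

def evaluate(report: StatusReport, policy: dict, now: datetime) -> list:
    """Return the policy violations for one report; an empty list means compliant."""
    findings = []
    if now - report.last_checkin > policy["max_checkin_age"]:
        findings.append("stale check-in; review for remote lock")
    if report.os_version < policy["min_os_version"]:
        findings.append("os_version below policy minimum")
    for key, ok in policy["required_settings"].items():
        if key not in report.settings:  # an unreported setting is a finding, not a pass
            findings.append(f"{key}: not reported")
        elif not ok(report.settings[key]):
            findings.append(f"{key}: non-compliant value {report.settings[key]!r}")
    return findings

def noncompliant_by_group(reports, policy, now):
    """Map group -> device_id -> findings, listing only non-compliant devices."""
    out = {}
    for r in reports:
        if findings := evaluate(r, policy, now):
            out.setdefault(r.group, {})[r.device_id] = findings
    return out

# Constructed sample status reports (not real devices or real uploads).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
REPORTS = [
    StatusReport("dev-001", "warehouse", (5, 2, 1), {"storage_encryption": True, "auto_lock_minutes": 5}, NOW - timedelta(hours=2)),
    StatusReport("dev-002", "warehouse", (5, 1, 9), {"storage_encryption": False, "auto_lock_minutes": 5}, NOW - timedelta(hours=3)),
    StatusReport("dev-003", "pharmacy", (5, 2, 0), {"storage_encryption": True}, NOW - timedelta(days=3)),
]
```

Running `noncompliant_by_group(REPORTS, POLICY, NOW)` lists only dev-002 (outdated OS, encryption off) and dev-003 (stale check-in, lock timeout never reported); a compliant device such as dev-001 produces no entry at all.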
Accordingly, it is desirable to provide improved systems and methods for ensuring that all of the devices in an enterprise network remain in compliance with the security policies or standards of an enterprise. Furthermore, other desirable features and characteristics of the present invention will become apparent from the subsequent detailed description and the appended claims, taken in conjunction with the accompanying drawings and the foregoing technical field and background.